Increase in tcp traffic from spoofed source to bogon?

Is it all to 135 ? I drop lots of that at my border. Each time I traced
it back to the customer, it was some infected machine that was not being
natted for various reasons.

e.g.

Deny TCP 172.16.4.1:4616 192.100.103.4:135

We also see the odd ntp request. Is it bogon as in RFC 1918 or bogon as in
not yet allocated / routed ?

Pekka Savola wrote:

> Is it all to 135 ? I drop lots of that at my border. Each time I traced
> it back to the customer, it was some infected machine that was not being
> natted for various reasons.
>
> e.g.
>
> Deny TCP 172.16.4.1:4616 192.100.103.4:135
>
> We also see the odd ntp request. Is it bogon as in RFC 1918 or bogon as in
> not yet allocated / routed ?

We are seeing some amount of traffic to the SMTP port of 127.0.0.2 (!!!).
I haven't bothered to check this out at the moment. One would suppose the
routers would blackhole the loopback traffic (or have a route to
127.0.0.1), but no... :slight_smile:

I've been seeing this too. There are some jokers (SPAMmers?) out there
putting 127.0.0.2 in their MX records.

Our Solaris mail server actually puts 127.0.0.2 out on the wire (the
default route) despite,

  lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4> mtu 8232 index 1
          inet 127.0.0.1 netmask ff000000

the fact it looks like these should be routed to the loopback. This also
flies in the face of RFC1122, Sec. 3.2.1.3(g),

            (g) { 127, <any> }
                 Internal host loopback address. Addresses of this form
                 MUST NOT appear outside a host.

This is however historical UN*X behavior. We hardcoded FreeBSD to drop
127/8 heading out of the host only a year ago and got a few complaints
from people who were doing things they probably should not have been doing
or could have just as easily done with RFC1918 addresses.

I would expect 127/8 to be on any bogon list.
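The thread makes two points a border operator can act on: the ACL deny lines (like the `Deny TCP 172.16.4.1:4616 192.100.103.4:135` example above) show un-NATted RFC 1918 sources heading out toward port 135, and 127/8 traffic that should never leave a host is showing up on the wire and belongs on every bogon list. The following is an added example, not code from any poster in this thread. It parses deny lines in the format shown above, classifies source and destination against the stable martian prefixes (RFC 1918, 127/8, link-local, multicast, reserved), and counts hits by destination port so the port-135 pattern and the loopback destinations stand out. The sample log lines are constructed (the first is the one from the thread; 203.0.113.0/24 is documentation space), and the log format regex is an assumption about the ACL output, adjust it to match your own router's syntax. The "not yet allocated or routed" kind of bogon is deliberately not hardcoded, since that list changes over time.

```python
import ipaddress
import re
from collections import Counter

# Stable "martian" prefixes: loopback (RFC 1122 sec. 3.2.1.3(g)), RFC 1918 private
# space, link-local, multicast and reserved. The other kind of bogon from the
# thread, address space not yet allocated or routed, changes over time and
# would have to be loaded from a current bogon list; it is not hardcoded here.
MARTIAN_PREFIXES = {
    ipaddress.ip_network(p): label for p, label in (
        ("0.0.0.0/8", "this-network"),
        ("10.0.0.0/8", "rfc1918"),
        ("127.0.0.0/8", "loopback"),
        ("169.254.0.0/16", "link-local"),
        ("172.16.0.0/12", "rfc1918"),
        ("192.168.0.0/16", "rfc1918"),
        ("224.0.0.0/4", "multicast"),
        ("240.0.0.0/4", "reserved"),
    )
}

# Assumed border ACL log format, taken from the line shown in the thread:
#   Deny TCP 172.16.4.1:4616 192.100.103.4:135
LINE_RE = re.compile(
    r"^Deny\s+(?P<proto>[A-Za-z]+)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)\s*$"
)


def martian_label(addr):
    """Return the martian category of an IPv4 address, or None if it is routable space."""
    ip = ipaddress.ip_address(addr)
    for net, label in MARTIAN_PREFIXES.items():
        if ip in net:
            return label
    return None


def parse_line(line):
    """Parse one ACL deny line into a dict; returns None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    rec["src_martian"] = martian_label(rec["src"])  # un-NATted / spoofed private source?
    rec["dst_martian"] = martian_label(rec["dst"])  # e.g. 127.0.0.2 that escaped a host
    return rec


def summarize(lines):
    """Count denied flows by (proto, dport) and by martian category of source and destination."""
    by_dport = Counter()
    src_cats = Counter()
    dst_cats = Counter()
    parsed = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        parsed += 1
        by_dport[(rec["proto"].upper(), rec["dport"])] += 1
        if rec["src_martian"]:
            src_cats[rec["src_martian"]] += 1
        if rec["dst_martian"]:
            dst_cats[rec["dst_martian"]] += 1
    return {"parsed": parsed, "by_dport": by_dport,
            "src_martian": src_cats, "dst_martian": dst_cats}


# Constructed sample: the line from the thread plus invented lines in the same
# format (203.0.113.0/24 is documentation space, not a real peer).
SAMPLE_LOG = """\
Deny TCP 172.16.4.1:4616 192.100.103.4:135
Deny TCP 172.16.4.1:4617 203.0.113.10:135
Deny TCP 10.2.3.4:33012 203.0.113.11:135
Deny TCP 203.0.113.20:51234 127.0.0.2:25
Deny UDP 192.168.7.7:123 203.0.113.5:123
this line is not an ACL entry
"""

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG.splitlines())
    print(s["parsed"], "flows parsed")
    for (proto, port), n in s["by_dport"].most_common():
        print(f"  {proto}/{port}: {n}")
    print("  martian sources (likely un-NATted customers):", dict(s["src_martian"]))
    print("  martian destinations:", dict(s["dst_martian"]))
```

Run against the sample, the port-135 flows dominate, all four RFC 1918 sources are flagged, and the one 127.0.0.2:25 flow shows up as a loopback destination; the same `martian_label` check can be applied to an egress ACL to enforce the RFC 1122 rule the thread quotes.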